burghardt/easy-wg-quick

Something went wrong

Closed this issue · 19 comments

a-a-k commented
$ sudo wg-quick up ./wghub.conf

[#] ip link add wghub type wireguard
[#] wg setconf wghub /dev/fd/63
Line unrecognized: `ens2-jTCPMSS--clamp-mss-to-pmtu'
Configuration parsing error
[#] ip link delete dev wghub

What does that mean? Also, $ sudo wg show shows nothing.

The output from the wg-quick command should look like this:

$ sudo wg-quick up ./wghub.conf
[#] ip link add wghub type wireguard
[#] wg setconf wghub /dev/fd/63
[#] ip -4 address add 10.135.91.1/24 dev wghub
[#] ip -6 address add fd64:6857:7327:6573::1/64 dev wghub
[#] ip link set mtu 1420 up dev wghub
[#] iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu
[#] ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu
[#] iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[#] iptables -A FORWARD -i wghub -j ACCEPT
[#] ip6tables -A FORWARD -i wghub -j ACCEPT
[#] ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[#] sysctl -q -w net.ipv4.ip_forward=1
[#] sysctl -q -w net.ipv6.conf.all.forwarding=1

Something has eaten all the spaces from the iptables call after the -o. Could you check how this is configured in the wghub.conf file? Does your copy of the easy-wg-quick script also lack spaces in these command parameters? Could you paste the output of the grep -ri TCPMSS command? It should look like this:

$ grep -ri TCPMSS
easy-wg-quick:PostUp = iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $EXT_NET_IF -j TCPMSS --clamp-mss-to-pmtu
easy-wg-quick:PostUp = ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $EXT_NET_IF -j TCPMSS --clamp-mss-to-pmtu
easy-wg-quick:PostDown = iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $EXT_NET_IF -j TCPMSS --clamp-mss-to-pmtu
easy-wg-quick:PostDown = ip6tables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $EXT_NET_IF -j TCPMSS --clamp-mss-to-pmtu
wghub.conf:PostUp = iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu
wghub.conf:PostUp = ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu
wghub.conf:PostDown = iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu
wghub.conf:PostDown = ip6tables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu

All spaces are in place here. What /bin/sh implementation does your operating system use? BASH, Dash, ash, etc.

a-a-k commented

$ grep -ri TCPMSS

wghub.conf:ens2 -j TCPMSS --clamp-mss-to-pmtu
wghub.conf:ens2 -j TCPMSS --clamp-mss-to-pmtu
wghub.conf:ens2 -j TCPMSS --clamp-mss-to-pmtu
wghub.conf:ens2 -j TCPMSS --clamp-mss-to-pmtu
easy-wg-quick:PostUp = iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $EXT_NET_IF -j TCPMSS --clamp-mss-to-pmtu
easy-wg-quick:PostUp = ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $EXT_NET_IF -j TCPMSS --clamp-mss-to-pmtu
easy-wg-quick:PostDown = iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $EXT_NET_IF -j TCPMSS --clamp-mss-to-pmtu
easy-wg-quick:PostDown = ip6tables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $EXT_NET_IF -j TCPMSS --clamp-mss-to-pmtu

wghub.conf

Address = ip/24, ipv6/64
ListenPort = port
PrivateKey = <my-key>
SaveConfig = false
PostUp = iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o ens2
ens2 -j TCPMSS --clamp-mss-to-pmtu
PostUp = ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o ens2
ens2 -j TCPMSS --clamp-mss-to-pmtu
PostUp = iptables -t nat -A POSTROUTING -o ens2
ens2 -j MASQUERADE
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens2
ens2 -j MASQUERADE
PostDown = iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o ens2
ens2 -j TCPMSS --clamp-mss-to-pmtu
PostDown = ip6tables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o ens2
ens2 -j TCPMSS --clamp-mss-to-pmtu
PostUp = ip6tables -t nat -A POSTROUTING -o ens2
ens2 -j MASQUERADE
PostDown = ip6tables -t nat -D POSTROUTING -o ens2
ens2 -j MASQUERADE
PostUp = sysctl -q -w net.ipv4.ip_forward=1
PostUp = sysctl -q -w net.ipv6.conf.all.forwarding=1
PostDown = sysctl -q -w net.ipv4.ip_forward=0
PostDown = sysctl -q -w net.ipv6.conf.all.forwarding=0

# 10: t_mobile > wgclient_t_mobile.conf
[Peer]
PublicKey = <public-key>
PresharedKey = <key>
AllowedIPs = ip/32, ipv6/128

# 11: t_pc > wgclient_t_pc.conf
[Peer]
PublicKey = <public-key>
PresharedKey = <key>
AllowedIPs = ip/32, ipv6/128

What /bin/sh implementation does your operating system use? BASH, Dash, ash, etc.

Dash

It looks like something is wrong with parsing the default route interface. It seems ens2\nens2 is put into the configuration files instead of ens2. Could you post the output of ip route sh? Do you have more than one default entry? I will push a fix idea on the other branch. Could you test it, please?

a-a-k commented

$ ip route sh

default via 10.19.8.64 dev ens2
default via 10.19.8.64 dev ens2 proto dhcp src 10.19.8.65 metric 100
10.19.8.64 dev ens2 proto dhcp scope link src 10.19.8.65 metric 100
10.19.8.64/31 dev ens2 proto kernel scope link src 10.19.8.65

Sorry, I can't test your fix right now, maybe tomorrow.
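The hypothesis above (two default routes turning the interface name into ens2\nens2) can be reproduced with the route table as posted. The following is an added example, not easy-wg-quick's own code: the function names and the awk parsing are assumptions, and the route lines are the ones from this thread embedded as constructed input.

```shell
#!/bin/sh
# Added example (not part of easy-wg-quick): how two "default" routes turn the
# detected interface into "ens2\nens2", and a parsing step that returns one name.

# Constructed sample: the `ip route sh` output posted in this issue.
SAMPLE_ROUTES='default via 10.19.8.64 dev ens2
default via 10.19.8.64 dev ens2 proto dhcp src 10.19.8.65 metric 100
10.19.8.64 dev ens2 proto dhcp scope link src 10.19.8.65 metric 100
10.19.8.64/31 dev ens2 proto kernel scope link src 10.19.8.65'

# Naive detection (hypothetical): print the "dev" argument of every default
# route. With two default entries this yields two lines; expanding that inside
# "... -o $EXT_NET_IF -j TCPMSS ..." splits the PostUp line in two, which is
# exactly the "Line unrecognized" error wg-quick reported.
naive_ext_net_if() {
    printf '%s\n' "$SAMPLE_ROUTES" |
        awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") print $(i+1) }'
}

# Robust detection (hypothetical): keep the default route with the lowest
# metric (a route without a metric counts as 0) and emit exactly one line.
robust_ext_net_if() {
    printf '%s\n' "$SAMPLE_ROUTES" | awk '
        $1 == "default" {
            dev = ""; metric = 0
            for (i = 1; i < NF; i++) {
                if ($i == "dev") dev = $(i+1)
                if ($i == "metric") metric = $(i+1)
            }
            if (dev != "" && (best == "" || metric < bestm)) { best = dev; bestm = metric }
        }
        END { if (best != "") print best }'
}

# Sanity check before the value is written into a generated wghub.conf:
# an interface name must be a single token (no newline, no whitespace).
valid_ifname() {
    case "$1" in
        "" | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}
```

A `valid_ifname` style check is cheap insurance: a config generator that refuses a multi-line interface name fails loudly at generation time instead of producing a wghub.conf that wg-quick rejects later.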

a-a-k commented

btw, how can I clean up all the stuff before testing? Should I clean it up?

If you are using a git clone, reset and clean.

git reset --hard
git clean -xfd

If not, just remove files with rm.

rm -f *.txt *.key *.conf *.bak

a-a-k commented

Well, I was able to create the tunnel, but it seems it still does not work - I can't ping anything via the created connection. The same situation for mobile and PC. What else can I check?

Please check if you can ping the other end of the tunnel, both over the VPN IP address and the normal IP. Also, you can paste your routing tables (ip route sh). Do you use any firewalling? What does wg show say about sent and received packets?

a-a-k commented

$ ip route sh

default via 10.19.8.64 dev ens2
default via 10.19.8.64 dev ens2 proto dhcp src 10.19.8.65 metric 100
10.19.8.64 dev ens2 proto dhcp scope link src 10.19.8.65 metric 100
10.19.8.64/31 dev ens2 proto kernel scope link src 10.19.8.65
10.205.11.0/24 dev wghub proto kernel scope link src 10.205.11.1

$ sudo wg show

interface: wghub
  public key: aUpbifXfPa/Du5HhZamkbURYeIPzJbyAXLu7GuQLX24=
  private key: (hidden)
  listening port: 64724

peer: z1RbyDzwiukoad6pBs5GI+SnejlLtNQWtLirTEbfB1I=
  preshared key: (hidden)
  allowed ips: 10.205.11.10/32, fd41:2549:5524:1217::10/128

Do you use any firewalling?

No, I don't.

About pings - I have no ping from client to hub (same for internal and public IP), but it is OK in the opposite direction.

P.S. I just noticed that the hub-->client ping exists even if the connection is switched off in the client app (mobile). Is that expected behavior?

Your wg show is quite strange. I expected lines like this:

peer: [redacted]
  preshared key: [redacted]
  endpoint: [redacted]
  allowed ips: [redacted]
  latest handshake: 1 minute, 46 seconds ago
  transfer: 6.11 GiB received, 1.77 GiB sent
  persistent keepalive: every 25 seconds

It might mean that no handshake was ever done. What do you have in the routing table on the client? Is it possible that the WireGuard default gateway overwrote the original default gateway setting, and your client lost any routed connection capabilities?

a-a-k commented

I don't know where to look at the routes on Android. You're right, there are no successful handshakes there.

Is that Android device able to directly ping what is in the Endpoint setting in the [peer] section of the client config?

Network Analyzer has the ability to show the routing table on my Android phone. WireGuard uses tun0 (user-space implementation). I have two default routes listed. One for my home WiFi router and the second for the tun0 interface.

a-a-k commented

I found this one more useful than Network Analyzer, but, anyway, I can't access routes through either of them (maybe this is available for pro versions only). I installed Termux and with its help I've dug into my phone's routes. There is only a wlan0 record.

Could you try this quick and dirty patch inspired by OpenVPN's def1 routing idea? You can also modify the already generated configuration directly on the phone by using the "edit" option of the imported configuration (change 0.0.0.0/0 to 0.0.0.0/1, 128.0.0.0/1).

diff --git a/easy-wg-quick b/easy-wg-quick
index d7bd61c..e609ccf 100755
--- a/easy-wg-quick
+++ b/easy-wg-quick
@@ -77,7 +77,7 @@ get_ext_net_ip() {
 
 create_client_allowedips() {
     echo "No intnetallowedips.txt... creating one!"
-    echo "0.0.0.0/0, ::/0" > intnetallowedips.txt
+    echo "0.0.0.0/1, 128.0.0.0/1, ::/0" > intnetallowedips.txt
 }
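Review bot: the def1-style split on the `+` line covers IPv4 only; `::/0` is kept as a single prefix, so an IPv6 default route on the client is still replaced outright rather than shadowed by two more-specific routes, and the IPv6 counterpart of the same trick would be `::/1, 8000::/1`. Note also that `create_client_allowedips` only runs when intnetallowedips.txt does not exist yet (see the echo on the line above), so on an already generated setup the file must be removed or edited by hand before the patch has any effect, which is consistent with the manual edit suggested in the comment.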

Do you use some legacy Android version? It's quite strange that your default route is lost when you bring VPN connection up.

a-a-k commented

I edited imported config on the phone, unsuccessful, still no routing. My Android version is 10.

Did you disconnect the WiFi and connect back after the WireGuard configuration was modified? This is probably required to set routing to 0.0.0.0/0 back. Does your default gateway still get removed after the VPN connection is initiated?

a-a-k commented

Just did it, nothing changed after the reconnect. The config is the same as I left it with your proposed edits.

I'm closing this as inactive.